ports/127502: [PATCH]graphics/png: update to 1.2.32, which includes security fix

bf bf2006a at yahoo.com
Sat Sep 20 03:30:02 UTC 2008 

>Number:         127502
>Category:       ports
>Synopsis:       [PATCH]graphics/png: update to 1.2.32, which includes security fix
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Sat Sep 20 03:30:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     bf
>Release:        7-STABLE i386
>Organization:
-
>Environment:
>Description:
Shortens tIME_string to 29 bytes in pngtest.c, and resolves: 

Name: CVE-2008-3964
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3964
Phase: Assigned (20080909)
Category: 
Reference: MLIST:[oss-security] 20080909 CVE request (libpng)
Reference: URL:http://www.openwall.com/lists/oss-security/2008/09/09/3
Reference: MLIST:[oss-security] 20080909 Re: CVE request (libpng)
Reference: URL:http://www.openwall.com/lists/oss-security/2008/09/09/8
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=624518
Reference: CONFIRM:http://sourceforge.net/tracker/index.php?func=detail&aid=2095669&group_id=5624&atid=105624

Multiple off-by-one errors in libpng before 1.2.32beta01, and 1.4
before 1.4.0beta34, allow context-dependent attackers to cause a
denial of service (crash) or have unspecified other impact via a PNG
image with crafted zTXt chunks, related to (1) the png_push_read_zTXt
function in pngread.c, and possibly related to (2) pngtest.c.
>How-To-Repeat:

>Fix:


Patch attached with submission follows:

diff -ruN png.orig/Makefile png/Makefile
--- png.orig/Makefile	2008-09-19 07:10:25.361949152 -0400
+++ png/Makefile	2008-09-19 07:16:25.947495918 -0400
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	png
-PORTVERSION=	1.2.31
+PORTVERSION=	1.2.32
 CATEGORIES=	graphics
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	lib${PORTNAME}
diff -ruN png.orig/distinfo png/distinfo
--- png.orig/distinfo	2008-09-19 07:10:25.371953496 -0400
+++ png/distinfo	2008-09-19 07:16:25.947495918 -0400
@@ -1,3 +1,3 @@
-MD5 (libpng-1.2.31.tar.bz2) = 78d2f8c4e0d64f8948819563587302d3
-SHA256 (libpng-1.2.31.tar.bz2) = 24b354dcd8843274a20e1625e04d618d43f9851082254cb9dae6f33f15c2a5cd
-SIZE (libpng-1.2.31.tar.bz2) = 625715
+MD5 (libpng-1.2.32.tar.bz2) = df4a20c6f24a6f642ae11c9a5a4ffa7f
+SHA256 (libpng-1.2.32.tar.bz2) = 928cd5f6aa2ccce97125a3add90479b901df902f27cefbb2052b89d92e7d757f
+SIZE (libpng-1.2.32.tar.bz2) = 639460
diff -ruN png.orig/files/patch-ab png/files/patch-ab
--- png.orig/files/patch-ab	2008-09-19 07:10:25.361949152 -0400
+++ png/files/patch-ab	2008-09-19 07:16:25.937492412 -0400
@@ -12,7 +12,7 @@
  
  Name: libpng
  Description: Loads and saves PNG files
- Version: 1.2.31
+ Version: 1.2.32
 -Libs: -L${libdir} -lpng12
 +Libs: -L${libdir} -lpng -lz -lm
  Cflags: -I${includedir}


>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-ports-bugs mailing list